Fuel retailer Olerex discovered on Monday that criminals have exploited a security weakness in its system to gain access to information of roughly 100,000 transactions, including names and document data of clients. Even though the vulnerability was patched by Tuesday, the database was downloaded 71 times.
“We are talking about the data of approximately 100,000 transactions that mostly included names, personal identification codes and fuel card limits etc. It is quite an extensive leak. To the best of our knowledge, the database was downloaded 71 times, which is troubling,” said Deputy Director of the State Information System’s Authority (RIA) Uku Särekanno.
Current information suggests leaked data did not include credit card numbers.
Information available to Postimees suggests Olerex discovered the leak on July 8 and notified RIA on July 9 when the vulnerability had been patched.
Access to the data was created when Olerex moved its servers. The database was freely available online for a month and a half. It is not yet clear what period the leaked transaction and client information dates from.
The incident is the third major data leak in Estonia inside the past week.
It turned out on July 3 that data of roughly 14,000 users of online shop Charlot had been freely available for an unspecified time, including names, email addresses and online shop passwords. The data was accessible in the form of ordinary text documents that could be found using Google’s search engine. In-house documents were also publicly available. RIA launched supervision proceedings regarding the leak on July 10.
On July 9, Canadian company Bewegen that operates rental bikes in Tartu reported that a security vulnerability allowed unauthorized access to personal information of 20,185 registered users. Leaked data included names, email addresses, phone numbers and geotags. The personal identification codes of 7,180 people were also made public.
Särekanno said that it is likely criminals discovered the Olerex leak using a robot designed to search for such vulnerabilities. Most such attempts are fruitless, but when a company has been less than diligent in protecting its data, or when a human error has occurred, data can become public.
“It is like a burglar going from house to house checking whether the front door is locked,” Särekanno said.
Once the address was known, anyone could have accessed the data online. RIA believes data of Olerex clients could have been downloaded in Estonia and abroad.
Client data obtained in this manner is most often used for blackmail, but also for spam and for sale on the black market. Neither RIA nor the police have received a single complaint in connection with the leaked data at this time.
Despite repeated requests, Olerex had not commented on the data leak by yesterday evening.
The data protection inspectorate told Postimees that because the specifics of the leak have not been ascertained in full, it has not been decided whether proceedings will be launched. Olerex has had problems with client data in the past, recently toward the beginning of the year.
Data protection lawyer Karmen Turk said that last year’s GDPR obligates companies to take greater care of personal information. The data protection watchdog could fine Olerex for the leak.
It is more difficult for clients to demand compensation from the fuel seller. “One must be able to prove that one has suffered damage because of Olerex’s carelessness in processing personal data and that there is a direct link,” the specialist explained. “It is impossible to file a claim for damages just like that.”